Zoom’s video conferencing software has been all over the news recently. With the COVID-19 crisis, the program has seen more use than ever before. This means that its security features and privacy practices have been put under a true trial-by-fire. 

With a multitude of news articles stating that it has security problems, it can be difficult to truly get a sense of where things stand. Which identified problems have been resolved? What are the current risks? Is this likely to be a recurring issue for the program? 

Here’s what you need to know about the security and privacy concerns that have been raised about Zoom since March:

Problem: Zoom “attention-tracking” feature unfairly monitors meeting participants.

On March 16, Vice highlighted a specific Zoom feature called “attention-tracking”, which many people argue enables unfair surveillance of employees. During a meeting, if the feature was turned on by the meeting host, an indicator appeared next to a meeting participant if he/she clicked out of the active Zoom window for more than 30 seconds. This feature could only be deactivated if the meeting host allows it. 

Besides the privacy concerns, Zoom's lack of note-taking functionality meant that users were compelled to exit the main window if they wanted to write anything down. The program's features are at odds with each other.  

Status: Resolved – Controversial feature removed by Zoom.

On April 2, a note on Zoom’s support page announced that the attention-tracking feature had been removed.

Problem: Zoom found to be sending user device analytics data to Facebook.

On March 26, a study by Motherboard showed that Zoom was sending certain data to Facebook, even if a Facebook account is not connected to Zoom or the user doesn’t have a Facebook account. Vice stated: “The Zoom app notifies Facebook when the user opens the app, details on the user's device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device which companies can use to target a user with advertisements.” 

According to Vice, this happens frequently with Facebook since many apps use the software development kits (SDKs) from the social media platform to add features to apps, which results in data automatically being transmitted. Unfortunately, Zoom didn't disclose that this was taking place in their privacy policy, raising a number of concerns. 

Status: Resolved – Zoom removed Facebook SDK.

On March 27, Vice reported that the Facebook SDKs that were causing the data transfer had been removed, which was confirmed by Motherboard.

Problem: Zoom’s installation on MacOS devices deemed ‘shady’.

On March 31, a software engineer at malware tracker VMRay discovered that the Mac app installer used pre-installation scripts which allowed the app to be installed without final user consent and displayed a ‘misleading’ prompt in order to gain root privileges, which are tactics normally employed by malware.

Status: Resolved – Zoom changed installation process.

On April 2, The Verge announced that Zoom issued an update that changed the way the app was installed. Now users have to click through every prompt to manually install Zoom on MacOS.

Problem: Zoom meetings are not end-to-end encrypted, despite telling users that they are.

On March 31, The Intercept reported that the video and audio content of Zoom meetings are not protected with end-to-end encryption, directly contradicting numerous statements made by the company. Instead, Zoom uses “transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings”, according to The Intercept. 

While software engineers admit that it is difficult to provide end-to-end encryption for group video calls, they point out that if that is the case (as it is with other apps like Google Hangouts), Zoom should be stating that directly. However, Zoom stated that they take privacy “extremely seriously” and that they have “layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings.”

Status: Partially resolved – Zoom clarified its encryption practices.

While Zoom has not introduced end-to-end encryption, they chose instead to leave the encryption system in place as it was, but published a blog post on April 1 explaining their encryption practices in detail.

Problem: Zoom is automatically leaking email addresses and photos to random users.

On April 1, Vice reported that Zoom’s ‘Company Directory’ feature had a flaw. This feature is intended to connect people within one company based on their shared email domain name. Theoretically, when a user creates an account with an email domain name for a business, all other users with that same domain name would automatically be added to their contacts, displaying each person’s full name, email address, and profile picture. 

Problems arose when people created accounts using personal email addresses (other than the most popular domains like Gmail, Hotmail, or Yahoo). The information of hundreds of other users that they didn’t know, but who shared the same domain, became available to them. This seems to have happened primarily with specific Dutch internet service providers.

Status: Mostly resolved – Zoom continuously updates blacklist of domains and advises users to contribute.

In the same report on April 1, Vice quoted a Zoom spokesperson addressing the issue: "Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added.” Zoom added those domains that were reported to their blacklist, but has not disabled the Company Directory as a default feature, so the risk is still present. Zoom also has a section on their website where users can submit domain names to be added to the blacklist.

Problem: Zoom feature was automatically displaying information from users’ LinkedIn profiles.

On April 2, The New York Times reported that the LinkedIn Sales Navigator feature, when enabled, would automatically connect users to their LinkedIn profiles and display that data to other meeting participants. Compounding this, the system did not notify users when their data was being viewed.

Status: Resolved – Zoom removed the feature in question.

In the same article, NYT stated that in response to these inquiries from Times reporters, a statement from Zoom said that they were “removing the LinkedIn Sales Navigator to disable the feature on our platform entirely.”

Problem: New automated tool is able to guess Zoom meeting IDs.

On April 2, security expert Brian Krebs reported that a recently-developed tool called zWarDial can automatically find approximately 100 Zoom meeting IDs per hour, or roughly 2,400 meetings in one day of scanning. This should not be the case with password-protected meetings. Zoom stated that, by default, all of their meetings automatically have passwords, but the tool still found large numbers of meetings that were not manually password-protected. This calls into question whether the automatic password feature is properly functioning.

Status: Partially resolved – Zoom urges users to set passwords.

A statement to The Verge the same day said that Zoom “strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join.” If the meeting is specifically set up with a password, the automated tool was unable to discover its information.

Problem: Some North American Zoom calls were routed through China.

On April 3, TechCrunch reported that Citizen Lab had discovered that some calls made in North America, along with their encryption keys, were routed through Chinese servers. Zoom said it was done to accommodate the nearly 200 million users per day: “During normal operations, Zoom clients attempt to connect to a series of primary data centers in or near a user’s region, and if those many connection attempts fail due to network congestion or other issues, clients will reach out to two secondary data centers off of a list of several secondary data centers as a potential backup bridge to the Zoom platform,” as Zoom founder Eric Yuan said to TechCrunch. 

Zoom had accidentally whitelisted two of its Chinese servers to allow them to act as backup servers when the primary servers were too congested. Because Zoom calls are not encrypted end-to-end, Chinese authorities would be able to demand the encryption keys from Zoom on calls routed through servers within Chinese borders, allowing them to decrypt the data in the calls.

Status: Resolved – Zoom removed Chinese servers from whitelist.

In the same article, it was reported that Zoom had fixed the mistake in the whitelisting of Chinese servers, so they should no longer act as backup servers for calls from other countries.

Zoom has seen its fair share of public criticism. The questions and investigations into their security and privacy practices have been important and valid. Zoom has been quick to respond to these concerns, figuring out and implementing bug fixes or offering advice about how to avoid such problems in the future. Zoom founder Eric Yuan wrote a company blog post on April 1 entitled, “A Message to Our Users.” In the post, Yuan summarizes what measures they have taken to resolve issues in the past and provides an outline of their current plan to fix future concerns. They have enacted a feature freeze, promise to conduct “a comprehensive review with third-party experts”, and will create a transparency report about their privacy practices. 

Zoom’s ease of use, plethora of advanced features, and extensive customization options have made it the premier video conferencing software currently in use. Their security issues have mostly been resolved up to this point, but it is still important for businesses, especially those that frequently handle highly-sensitive information, to review the privacy features of any program they plan to use. 

Now that remote work is common enough to necessitate some sort of video conferencing abilities for the majority of companies currently operating, keeping information secure has become more difficult. If the information contained in your meetings isn't sensitive, Zoom may be a solid option because of its other advantages. However, if information security is more of a priority, it may not be the right choice, at least until a more thorough review can be completed.